From owner-freebsd-questions@FreeBSD.ORG Thu Dec 15 02:37:20 2005
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B408D16A41F for ; Thu, 15 Dec 2005 02:37:20 +0000 (GMT) (envelope-from tedm@toybox.placo.com)
Received: from mail.freebsd-corp-net-guide.com (mail.web-strider.com [65.75.192.90]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B30143D53 for ; Thu, 15 Dec 2005 02:37:19 +0000 (GMT) (envelope-from tedm@toybox.placo.com)
Received: from tedwin2k (nat-rtr.freebsd-corp-net-guide.com [65.75.197.130]) by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id jBF2eKb11055; Wed, 14 Dec 2005 18:40:21 -0800 (PST) (envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt"
To: "gwen"
Date: Wed, 14 Dec 2005 18:37:06 -0800
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1250"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
In-Reply-To: <20051214203437.GA17667@nvnsvch.org>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
Cc: caleb , freebsd-questions@freebsd.org, RW
Subject: RE: pine
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 15 Dec 2005 02:37:20 -0000

>-----Original Message-----
>From: gwen [mailto:gwen@nvnsvch.org]
>Sent: Wednesday, December 14, 2005 12:35 PM
>To: Ted Mittelstaedt
>Cc: RW; freebsd-questions@freebsd.org; caleb
>Subject: Re: pine
>
>
>* Ted Mittelstaedt (tedm@toybox.placo.com) [051214 15:22]:
>>
>> >> >> 'Can't do secure authentication with this server'
>> >
>> >If the server supports neither ssl, nor any form of secure
>> >authentication, there's
>> >nothing you can do to protect your password.
>>
>> Garbage.
>>
>> The first thing you can do is go out and shoo the crackers
>> off the telephone pole who are tapped into your phone line
>> and sniffing your passwords.
>>
>> Then you can ask your ISP to start locking the door to his
>> NOC and kick out all the crackers who have sleeping bags in
>> the NOC and are tapped into the ISP's ethernet cable from his
>> router to his mail server.
>>
>> But the thing that would probably put your mind at ease the most
>> is to stop going to Hollywood movies like The Net which make it appear
>> as though crackers can magically sniff your cleartext passwords
>> when they have access to the network between your
>> PC and the ISP's mailserver.
>
>Have you ever seen the output of tcpdump? You see anything on the
>same network as you. So any of the following *likely* situations
>leaves your non-encrypted password open for sniffing:
>
>1) Wireless access, *any* wireless access.

Er, WEP anyone?  Do you really think if this poster is smart enough
to figure out how to turn on SSL on pine that he hasn't already
thought of that?

>2) Cable modem pools, or any internet hookup where there's a communal
>line shared.

Nope either.  If cable networks allowed unicast packets to flood every
subscriber then it would knock all their subscribers offline.  Consider
the typical cable modem is a 2-3MB device.  Now compare that to the
average amount of bandwidth in use on a typical cable segment - we are
talking hundreds of mbts.  You're not going to stuff all that traffic
down a cable modem.

As for other communal networks, granted if such a network was plugged
into a HUB and not a SWITCH then yes.  How likely do you think that
scenario is?  Even 10/100 24 port switches are going for under $50 on
eBay these days, so those on complete shoestring networks have no excuse
for keeping an ancient hub in service.

Granted while you can flood a switch to force it into unicast mode, the
network then crawls, lots of complaints result, miscreant soon taken
care of.

>3) public networks (OK, I know the scenario presented is for home
>usage, but it's worth it to put this point here).

Yes it is, but the only public networks that fit this bill are wireless
ones, like in an airport or coffee shop.  Presumably the ISP has an SSL
web interface on their mailserver for this.  But, if you know you're
going into this kind of area then change your password before leaving
home, if you must use your POP client.

>4) Any network where a computer has been at all compromised.

I can insert a keyboard logger that will defeat any encryption you
want.  And if the ISP is compromised then the likelihood is their
mailserver, which is a much softer target, will be compromised long
before any network device.  And once the attacker has the mailserver,
he doesn't need the passwords anyhow.

>5) Any ISP with untrustable SysAdmins (I've known this to happen).

How is encryption on the password channel to the mailserver, which is
admined by these untrustable sysadmins, going to help with -that-?

>6) Almost a corollary to 5) and 3); any ISP with a compromised machine.
>

If you don't trust your ISP to be competent, you may as well not use
their mailserver then.  Why would you use it?  Email comes in off the
Internet unencrypted; if they want to read your mail they can.

>You cannot assume that there are not nasty sniffers on your line.
>I have seen passwords sniffed out in all kinds of places.
>

So you figured out how to run a sniffer on a public wireless node.

Ted

>And with that, I go back into lurking mode.
>
>gwen.
> gamergothgeekgrrl.
> http://www.gw3n.com/
>
>* martygreene shivers
> why is it so damn cold?
>
>--
>No virus found in this incoming message.
>Checked by AVG Free Edition.
>Version: 7.1.371 / Virus Database: 267.13.13/199 - Release
>Date: 12/13/2005
>
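The disagreement above is about what an on-path observer actually gets from a POP3 login. The following is an added example, not code from either poster or from pine, that reconstructs the observer's view from three constructed captures (host `pop.example.net`, user `alice`, password `hunter2` are all made up): a plain USER/PASS login, an APOP login (RFC 1939, MD5 of the greeting timestamp plus the password), and a session that upgrades with STLS before authenticating. The sessions stand in for the lines `tcpdump -A` would print on a hub, a flooded switch or an open wireless segment.

```python
"""Passive view of a POP3 login (added example; captures are constructed)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed greeting; the <...> part is the APOP timestamp (RFC 1939).
GREETING = "+OK POP3 server ready <1896.697170952@pop.example.net>"
TIMESTAMP_RE = re.compile(r"<[^>]+>")


def apop_digest(greeting: str, password: str) -> str:
    """RFC 1939 APOP digest: hex MD5 of greeting timestamp + shared secret."""
    ts = TIMESTAMP_RE.search(greeting).group(0)
    return hashlib.md5((ts + password).encode()).hexdigest()


# Constructed sessions as (sender, line) pairs; "C" = client, "S" = server.
CLEARTEXT_SESSION = [
    ("S", GREETING),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS hunter2"),          # the password, in the clear
    ("S", "+OK Logged in."),
    ("C", "STAT"),
    ("S", "+OK 3 1420"),
]
APOP_SESSION = [
    ("S", GREETING),
    ("C", "APOP alice " + apop_digest(GREETING, "hunter2")),
    ("S", "+OK maildrop has 3 messages"),
]
STLS_SESSION = [
    ("S", GREETING),
    ("C", "STLS"),
    ("S", "+OK Begin TLS negotiation"),
    ("C", "\x16\x03\x01\x00\xc4..."),   # TLS ClientHello bytes, opaque
    ("S", "\x16\x03\x03\x00\x5a..."),   # TLS ServerHello bytes, opaque
]


@dataclass
class Observation:
    user: Optional[str] = None
    password: Optional[str] = None     # recoverable only from USER/PASS
    apop_digest: Optional[str] = None  # visible, but not the password itself
    greeting: Optional[str] = None
    tls_started: bool = False
    opaque_lines: int = 0


def observe_pop3(session: Iterable[tuple]) -> Observation:
    """Reconstruct what an on-path sniffer learns from a POP3 exchange."""
    obs = Observation()
    pending = None  # last client verb still awaiting the server's reply
    for who, line in session:
        if obs.tls_started:            # after STLS +OK, bytes are TLS records
            obs.opaque_lines += 1
            continue
        if who == "C":
            verb, _, arg = line.partition(" ")
            pending = verb.upper()
            if pending == "USER":
                obs.user = arg
            elif pending == "PASS":
                obs.password = arg
            elif pending == "APOP":
                obs.user, _, obs.apop_digest = arg.partition(" ")
        else:
            if obs.greeting is None:
                obs.greeting = line
            if pending == "STLS" and line.startswith("+OK"):
                obs.tls_started = True
            pending = None
    return obs


def crack_apop(obs: Observation, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess against a captured APOP digest: the timestamp is in the
    capture too, so every candidate password costs the attacker one MD5."""
    if not (obs.greeting and obs.apop_digest):
        return None
    for guess in wordlist:
        if apop_digest(obs.greeting, guess) == obs.apop_digest:
            return guess
    return None


if __name__ == "__main__":
    for name, session in [("USER/PASS", CLEARTEXT_SESSION),
                          ("APOP", APOP_SESSION), ("STLS", STLS_SESSION)]:
        o = observe_pop3(session)
        print(f"{name:9} user={o.user!r} password={o.password!r} "
              f"apop_digest={o.apop_digest!r} tls={o.tls_started}")
    print("APOP offline guess:",
          crack_apop(observe_pop3(APOP_SESSION), ["letmein", "hunter2"]))
```

The USER/PASS capture gives up the password outright; the APOP capture gives up only a digest, which still falls to an offline dictionary run if the password is weak; after a successful STLS nothing past the server's +OK is readable. Whether anyone is positioned to capture those lines in the first place is the question the two posters disagree on.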